I've reviewed the patch and it looks reasonable. I won't have any time to test it before January, but perhaps mhatta and villain can do that.

The changes mainly affect:
1) Console password handling. To test, set a console password on /configui
2) Jetty xml configuration file parsing. To test, go to the SSL wizard on an i2ptunnel eepsite edit page.
See if anything breaks, and check the logs for anything unusual.

For the near-term, the best approach is to maintain this as a Debian patch. I don't plan to migrate to 9.4 for a long time because it would require us to bump our minimum java requirement to Java 9, which I don't think we want to do until probably 2020 at the earliest. Perhaps we'll go to Java 8 in 2019.

I checked the patch in under debian-alt/sid/, then refreshed the patch and moved it to debian-alt/disco/ for the release, as disco switched to 9.4. I've also started a branch i2p.i2p.zzz.jetty94 that has the patch applied, and the jetty 9.4.14 jars, for testing.